Legal claims defining the scope of protection, as filed with the USPTO.
1. A method of data processing, comprising: a physical host executing a virtual machine monitor (VMM) that instantiates at least one virtual machine (VM) separate from and hosted by the VMM, wherein the VM is configured as a virtual input/output server (VIOS) that provides input/output services for network communication; the VMM implementing a virtual switch, a virtual network, and a virtual router; utilizing the virtual switch and the virtual router of the VMM, performing routing and switching for network communication between a plurality of other VMs on the virtual network; the VIOS receiving a packet of network communication between the plurality of other VMs on the virtual network and, in response to receiving the packet, the VIOS determining by reference to a policy data structure a disposition of the packet of network communication, wherein the disposition is dropping the packet; caching, in a flow cache of the VMM, the disposition determined by the VIOS, wherein the disposition is cached in the flow cache in association with a key identifying a packet flow containing the packet; and thereafter, the VMM accessing the determined disposition in the flow cache and the VMM applying the determined disposition to a subsequent packet in the packet flow containing the packet by reference to the cached disposition and without reference to the policy data structure of the VIOS.
2. The method of claim 1, wherein: the key is a hash key; and the method further comprises: generating the hash key from a tuple of header values in the subsequent packet, wherein the tuple includes at least a network address and an identifier of a protocol of the packet flow, wherein the protocol is above Layer 3; and the VMM accessing the determined disposition in the flow cache utilizing the generated hash key.
3. The method of claim 2, wherein: the physical host includes a physical network interface; and the method further comprises implementing, in the VIOS, a second flow cache for filtering network traffic communicated via the physical network interface.
4. The method of claim 1, wherein: the method includes the VIOS maintaining the policy data structure; and the policy data structure includes at least one bypass data structure identifying one or more of the plurality of other VMs for which no network filtering by the VIOS is to be enforced.
5. The method of claim 1, wherein: the method includes the VIOS maintaining the policy data structure; the policy data structure includes an exclusion data structure identifying VMs among the plurality of other VMs excluded from network filtering; and the determining includes determining to forward packets within packet flows between VMs that are all identified in the exclusion data structure.
6. The method of claim 1, wherein: the method includes the VIOS maintaining the policy data structure; and the policy data structure includes an allowed host data structure identifying at least one allowed VM among the plurality of other VMs with which a quarantined VM that is otherwise disallowed from utilizing network communication is permitted to communicate.
7. The method of claim 1, wherein: the virtual network is a distributed virtual network spanning a plurality of physical data processing systems including the physical host; and the method further comprises executing the VIOS on a different physical data processing system than at least one of a source VM and a destination VM of the packet flow.
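The mechanism the claims describe is a two-tier filter: the VIOS holds the policy data structure (bypass, exclusion, quarantine and allowed-host lists) and decides the disposition of the first packet of a flow; the VMM caches that disposition under a hash of the packet's header tuple and applies it to later packets of the same flow without asking the VIOS again. The model below is an added illustration written for this page, not code from the patent or its assignee. The VM names, addresses, policy contents and the exact fields hashed into the key are assumptions; the claims only require that the tuple include at least a network address and an above-Layer-3 protocol identifier. The example also shows the two caveats a practitioner cares about: every header field the policy can depend on must go into the key (otherwise two flows with different verdicts alias to one cache entry), and a policy change must flush the cache, since cached verdicts are applied without reference to the policy.

```python
"""Constructed model of a VIOS policy lookup feeding a VMM flow cache.
All VM names, addresses and policy contents are hypothetical sample data."""
from dataclasses import dataclass, field
from enum import Enum
import hashlib


class Disposition(Enum):
    FORWARD = "forward"
    DROP = "drop"


@dataclass(frozen=True)
class Packet:
    src_vm: str
    dst_vm: str
    src_ip: str
    dst_ip: str
    proto: str      # identifier of a protocol above Layer 3, e.g. "tcp"
    src_port: int
    dst_port: int


def flow_key(pkt: Packet) -> str:
    """Hash key over the header tuple. Every header field the policy can
    depend on must be in the tuple, or flows with different dispositions
    collide on one cache entry (assumed 5-tuple, not fixed by the claims)."""
    tup = (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.src_port, pkt.dst_port)
    return hashlib.sha256("|".join(map(str, tup)).encode()).hexdigest()


@dataclass
class Policy:
    bypass: set = field(default_factory=set)        # VMs never filtered
    excluded: set = field(default_factory=set)      # forward if all endpoints excluded
    quarantined: set = field(default_factory=set)   # only allowed hosts reachable
    allowed_hosts: dict = field(default_factory=dict)  # quarantined VM -> allowed peers
    allow_rules: set = field(default_factory=set)   # (proto, dst_port) permitted otherwise


class VIOS:
    """Policy-holding VM; decide() is the slow path, hit once per flow."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.lookups = 0

    def decide(self, pkt: Packet) -> Disposition:
        self.lookups += 1
        p = self.policy
        if pkt.src_vm in p.bypass or pkt.dst_vm in p.bypass:
            return Disposition.FORWARD
        if pkt.src_vm in p.excluded and pkt.dst_vm in p.excluded:
            return Disposition.FORWARD
        if pkt.src_vm in p.quarantined:
            allowed = p.allowed_hosts.get(pkt.src_vm, set())
            return Disposition.FORWARD if pkt.dst_vm in allowed else Disposition.DROP
        if (pkt.proto, pkt.dst_port) in p.allow_rules:
            return Disposition.FORWARD
        return Disposition.DROP


class VMM:
    """Fast path: the flow cache is consulted before the VIOS."""

    def __init__(self, vios: VIOS):
        self.vios = vios
        self.flow_cache = {}
        self.cache_hits = 0

    def handle(self, pkt: Packet) -> Disposition:
        key = flow_key(pkt)
        disp = self.flow_cache.get(key)
        if disp is None:            # miss: consult the VIOS once for this flow
            disp = self.vios.decide(pkt)
            self.flow_cache[key] = disp
        else:                       # hit: applied with no reference to the policy
            self.cache_hits += 1
        return disp

    def update_policy(self, policy: Policy) -> None:
        """Cached verdicts are only as fresh as the policy that produced them;
        a policy change without a flush keeps enforcing the old verdicts."""
        self.vios.policy = policy
        self.flow_cache.clear()


def build_demo():
    """Sample policy and packets (constructed) for exercising the cache."""
    policy = Policy(
        quarantined={"web1"}, allowed_hosts={"web1": {"patch1"}},
        excluded={"db1", "db2"}, allow_rules={("tcp", 443)},
    )
    vmm = VMM(VIOS(policy))
    pkts = {
        "ssh": Packet("app1", "db1", "10.0.0.11", "10.0.0.21", "tcp", 40001, 22),
        "https": Packet("app1", "db1", "10.0.0.11", "10.0.0.21", "tcp", 40002, 443),
        "quar_ok": Packet("web1", "patch1", "10.0.0.31", "10.0.0.41", "tcp", 40003, 80),
        "quar_bad": Packet("web1", "db1", "10.0.0.31", "10.0.0.21", "tcp", 40004, 80),
        "excl": Packet("db1", "db2", "10.0.0.21", "10.0.0.22", "tcp", 40005, 5432),
    }
    return vmm, pkts
```

Running the same `ssh` packet twice through `VMM.handle` costs one VIOS lookup and one cache hit; the `https` packet from the same pair of addresses gets its own key because the destination port differs, which is exactly why the port has to be part of the tuple when the policy is port-based. Claim 3's second flow cache for the physical interface is the same structure instantiated a second time in front of the VIOS's physical NIC path.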
Unknown
May 19, 2015